Why You’re Not Seeing All Web Searches with Cisco Firepower

When you're using Cisco Firepower (aka Cisco Secure Firewall) with Fastvue Reporter, it makes sense to expect clear visibility into what people are searching for online, especially when monitoring for harmful or inappropriate activity.

But there’s a frustrating issue: some search terms just don’t appear in alerts or reports. Not because there is an issue with your setup, but because Cisco Firepower never logs them in the first place.

The Problem: Cisco Firepower does not log every web request

Cisco Firepower logs data based on connections, not every individual request inside those connections.

Modern browsers (like Chrome or Edge) are designed to be efficient. When you visit a website like Google or Bing, the browser might load everything — the homepage, logos, ads, search results, and more — using just one or two secure connections.

Those connections may include dozens of individual web requests, but Firepower only logs the first and last request in each connection.

This is configurable within each Access Policy Rule.

Let's look at a real example: A Google Search

When you search Google for "self harm help", your browser might send requests like:

1. https://www.google.com/ ← Logged

2. https://www.google.com/favicon.ico

3. https://www.google.com/gen_204?client=chrome

4. https://www.google.com/complete/search?q=self+harm+he

5. https://www.google.com/search?q=self+harm+help ← 🎯 THIS is the actual search

6. https://www.google.com/xjs/_/js/k=

7. https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png

8. https://www.google.com/search/howsearchworks/

9. https://www.google.com/search?q=related+terms

10. https://www.google.com/gen_204?atyp=csi ← Logged

Cisco Firepower will log the first and last requests in the connection (#1 and #10), but the actual search query in #4 is never logged.

That means Fastvue Reporter never sees it, and no alert is triggered.

What we're doing about it

Cisco is aware of the limitation and have a feature enhancement logged here (requires a Cisco login).

Fastvue is working closely with various people within Cisco who also want to see this working, and we’re hopeful that this feature enhancement will make it into a future update soon.

If you would like to keep up to date with the progress of the issue, please open a support case with Cisco, referencing the issue number CSCwa52633.

In the meantime, if your organization needs full, accurate logging of web searches, there is a solution.

A Cisco product that does log web searches: Umbrella SIG

Cisco Umbrella Secure Internet Gateway (SIG) logs every individual web request — including all search queries, and Fastvue Reporter supports Cisco Umbrella SIG today. You’ll see:

• Every search term

• Every visited URL (when needed)

• Clear reports and alerts that actually show what users are doing online

Final thoughts

If you’re using Cisco Firepower and wondering why certain web searches aren’t triggering alerts — the issue isn’t with your configuration or with Fastvue. It’s a limitation of how Firepower logs web traffic.

We’re continuing to work closely with Cisco to address this gap. In the meantime, for organizations that need immediate, accurate visibility into all web requests, Fastvue Reporter for Cisco Umbrella SIG is a robust and proven solution.

Download a free trial now, or book a demo if you'd like to see it in action!